[ovs-dev] [PATCH 1/7] ovn-northd: Split ACL and pre-ACL processing.
Gurucharan Shetty
guru at ovn.org
Wed Jun 29 08:17:05 UTC 2016
Future patches introduce more tables between
pre-ACL and ACL processing. Splitting these
into separate functions makes the code easier
to read.
Signed-off-by: Gurucharan Shetty <guru at ovn.org>
Acked-by: Ben Pfaff <blp at ovn.org>
---
ovn/northd/ovn-northd.c | 26 ++++++++++++++++++--------
1 file changed, 18 insertions(+), 8 deletions(-)
diff --git a/ovn/northd/ovn-northd.c b/ovn/northd/ovn-northd.c
index c2cf15e..97ddf80 100644
--- a/ovn/northd/ovn-northd.c
+++ b/ovn/northd/ovn-northd.c
@@ -1329,7 +1329,8 @@ has_stateful_acl(struct ovn_datapath *od)
}
static void
-build_acls(struct ovn_datapath *od, struct hmap *lflows, struct hmap *ports)
+build_pre_acls(struct ovn_datapath *od, struct hmap *lflows,
+ struct hmap *ports)
{
bool has_stateful = has_stateful_acl(od);
struct ovn_port *op;
@@ -1339,12 +1340,6 @@ build_acls(struct ovn_datapath *od, struct hmap *lflows, struct hmap *ports)
ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_ACL, 0, "1", "next;");
ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_ACL, 0, "1", "next;");
- /* Ingress and Egress ACL Table (Priority 0): Packets are allowed by
- * default. A related rule at priority 1 is added below if there
- * are any stateful ACLs in this datapath. */
- ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, 0, "1", "next;");
- ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, 0, "1", "next;");
-
/* If there are any stateful ACL rules in this dapapath, we must
* send all IP packets through the conntrack action, which handles
* defragmentation, in order to match L4 headers. */
@@ -1385,7 +1380,21 @@ build_acls(struct ovn_datapath *od, struct hmap *lflows, struct hmap *ports)
* the return traffic needs to be followed. */
ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_ACL, 100, "ip", "ct_next;");
ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_ACL, 100, "ip", "ct_next;");
+ }
+}
+static void
+build_acls(struct ovn_datapath *od, struct hmap *lflows)
+{
+ bool has_stateful = has_stateful_acl(od);
+
+ /* Ingress and Egress ACL Table (Priority 0): Packets are allowed by
+ * default. A related rule at priority 1 is added below if there
+ * are any stateful ACLs in this datapath. */
+ ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, 0, "1", "next;");
+ ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, 0, "1", "next;");
+
+ if (has_stateful) {
/* Ingress and Egress ACL Table (Priority 1).
*
* By default, traffic is allowed. This is partially handled by
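Review bot: The new `build_acls()` has no header comment, and after the split the priority-0 "allow by default" flows for the ACL tables live only here, so a caller that runs `build_pre_acls()` without `build_acls()` leaves S_SWITCH_IN_ACL/OUT_ACL with no default flow; I would document that contract above the `static void` on the new function, e.g. `/* Adds the ingress/egress ACL table flows for 'od': the priority-0 "next;" defaults plus the stateful rules when has_stateful_acl(od) is true. Must be paired with build_pre_acls(). */`. Both functions now call `has_stateful_acl(od)` separately, which recomputes the same answer per datapath; if that helper scans the datapath's ACL list, consider computing it once at the call site and passing it in, though that is optional. The `ports` parameter was dropped from `build_acls()`, so I assume the remainder of its body (which continues outside this hunk) never referenced it; the build would catch it otherwise.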
@@ -1495,7 +1504,8 @@ build_lswitch_flows(struct hmap *datapaths, struct hmap *ports,
continue;
}
- build_acls(od, lflows, ports);
+ build_pre_acls(od, lflows, ports);
+ build_acls(od, lflows);
}
/* Logical switch ingress table 0: Admission control framework (priority
--
1.9.1